“Is Windows Defender useless for protection against some viruses?” Pretty much yes, as soon as malware has been granted admin rights once.

If you rely only on Windows Defender and you are not a “careful” user, you should probably re-think your choice. Since Windows 10 it is not possible to “simply” disable Windows Defender (unless you install another antivirus or take advanced steps); it just starts up again after some time. But a malicious program doesn't need to disable the whole of Defender, there is another option.

Excluding a folder in WD from the command line…

I just found out that it's possible to add an “Excluded folder” for Windows Defender from the command line, using the Add-MpPreference cmdlet of the Defender PowerShell module.

All you have to do is execute this command from a cmd shell with admin rights:

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"

Note: Tested on Windows 10 Pro, version 1709, OS Build 16299.248 / Antivirus Version 1.261.1615.0

And poof, the folder is excluded. Note that a path exclusion covers everything underneath it, so excluding “C:\Users” silently covers every profile's Desktop, Downloads and AppData. Some of you may already have an idea of how this could be exploited, but let me explain in more detail why I find this disturbing.

Admin rights on Windows

Everyone knows that Windows admin rights are not that great. Both macOS and Linux have a much better system in place. Well, if we talk about the “enterprise”, it's actually not that bad: Windows has great support for various settings via domain (Group) Policy.

One of the configurable settings (Software Restriction Policies or AppLocker) lets us block execution of all .exe (or other executable) files from non-protected folders. That means ordinary users can only run .exe files that are installed in, for example, the Program Files folder, and as you may know you need admin rights to install (or simply copy) any files there. But that's exactly the problem!

An enterprise environment is reasonably safe. But on home computers the admin and the user are usually the same account, so…

Program Files as the default install path

So “C:\Program Files” is simply the standard path for installing programs on Windows.
Side note: OMG, if you are developing multi-platform software, please learn that different operating systems have different standards for locating software / user-specific files / temp files etc. And yes, .folders are not invisible on Windows.

But the problem is that it's protected by admin rights. So every time you install software, the installer asks for admin rights, and we grant them almost without thinking. Theoretically the installer shouldn't need admin rights at all: very often all it does is extract files, create shortcuts, add an entry to the All Apps menu and register the uninstaller, all of which work fine as a per-user install under the user's own profile.

But hey, once we have admin rights we can also change Windows settings and do much more! So why not go wild, right?

By the way, with admin rights we could do much more harm, but usually the goal is to stay in the system undetected for as long as possible.

Use case scenario

Let's walk through the scenario.

  1. Download an infected installer for some app. The installer is not detected as malware because the payload is hidden deep among the regular code.
  2. The installer needs admin rights because, obviously, it wants to install into Program Files.
  3. With admin rights it simply executes the command that excludes a specific folder.
  4. It drops the malicious files into that folder, and Windows Defender simply ignores them…

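The other side of the command shown earlier and of the scenario above is the check a defender would run afterwards. The following is an added example, not part of the original post: an elevated PowerShell script that lists Defender path exclusions, flags the overly broad ones (the list of “broad” roots is this example's own assumption), and pulls the configuration-change events Defender writes to its operational log (Event ID 5007) so you can see when and by what an exclusion was added.

```powershell
# Added example (not the original post's command): audit the exclusions an
# installer may have planted with Add-MpPreference and show the events that
# record the change. Run from an elevated PowerShell on a machine with
# Microsoft Defender. The "broad roots" list below is an assumption made for
# this example; adjust it to your environment.

$broadRoots = @(
    'C:\',
    'C:\Users',
    $env:USERPROFILE,
    $env:TEMP,
    $env:ProgramData,
    $env:LOCALAPPDATA
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-BroadExclusions {
    # ExclusionPath is a string array (or $null when nothing is excluded).
    $prefs = Get-MpPreference
    foreach ($path in @($prefs.ExclusionPath)) {
        if (-not $path) { continue }
        $norm  = $path.TrimEnd('\')
        # -eq on strings is case-insensitive in PowerShell.
        $broad = [bool]($broadRoots | Where-Object { $_ -eq $norm })
        [pscustomobject]@{ Path = $path; Broad = $broad }
    }
}

function Get-DefenderConfigChanges {
    param([int]$Hours = 24)
    # Event 5007: "The antimalware platform configuration changed". The message
    # carries the old and new value, e.g. the newly added ExclusionPath entry.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}

# Report current exclusions and highlight the dangerous ones.
$exclusions = Get-BroadExclusions
$exclusions | Format-Table -AutoSize

$toRemove = $exclusions | Where-Object { $_.Broad } | Select-Object -ExpandProperty Path
if ($toRemove) {
    Write-Warning "Broad exclusions found: $($toRemove -join ', ')"
    # Removing them is also an admin-only operation; uncomment to clean up:
    # Remove-MpPreference -ExclusionPath $toRemove
}

# Show who changed the configuration recently (last three days).
Get-DefenderConfigChanges -Hours 72 | Format-List
```

Because an exclusion covers the whole subtree, a single entry such as “C:\Users” is enough to hide anything dropped into a profile, which is why the script treats profile and temp roots as red flags rather than only checking for “C:\”.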
And that's it: you have a computer infected with some **** and in the least-bad scenario you are just part of a DDoS botnet, but you never know what else they could do.

Conclusion

So if the malware is detectable only by observing what it does, this one command completely blinds Windows Defender for that folder. As I mentioned, Windows Defender on Windows 10 starts again after some time when you disable it, but it's no longer necessary to disable WD; just exclude the folder. I am pretty bummed that this is possible and that WD doesn't warn the user or do anything about it. (The change is recorded in the Defender operational event log as Event ID 5007, but nothing is ever shown to the person sitting at the machine.)

But hey, I think all we need to do is stick to the rule “Never run executables from an unverified source you don't trust.” And yes, that means no pirated software. But did you notice that almost all apps have free (open source) alternatives? So try those, or just invest the bucks and buy the software; the authors usually deserve it. Or just switch to Linux.

I personally haven't had any virus on my computers for at least 4 years or more. Or maybe they have been hidden in my excluded folders all this time?

